Big healthcare breaches affected millions before Anthem's hack

Insurance giant Anthem reported last week that unidentified hackers had managed to infiltrate a database containing personal information on as many as 80 million customers and employees. The hack is the largest healthcare breach yet and highlights the importance of multifaceted cybersecurity measures for protecting sensitive patient data.

Even though the Anthem breach dwarfs the rest, HHS has recorded 10 more that affected at least 1 million people each. The department's Office for Civil Rights requires covered entities to report breaches of unsecured protected health information, and it posts those affecting 500 or more individuals on its website, which now has more than 1,100 entries. Excluding the Anthem hack, which is not yet listed, the 10 largest ones combined exposed the protected data of 23.4 million patients.

1. In 2011, the military health system Tricare reported that records for 4.9 million patients were breached when a contractor for the program's administrator, Tricare Management Activity, lost backup tapes used to store electronic health-record data for patients in the San Antonio area. The contractor, Science Applications International Corp. (now Leidos), said the tapes were stolen from the car of an employee transporting them to an off-site storage facility. The breach sparked a $4.9 billion class-action lawsuit. All but two of the claims were dismissed in 2014.

2. Franklin, Tenn.-based Community Health Systems, an investor-owned company that operates 206 hospitals in 29 states, reported a breach affecting over 4.5 million patients in August 2014. The breach was the result of a cyberattack that cybersecurity experts believe exploited Heartbleed, a vulnerability in the widely used OpenSSL cryptographic library disclosed in April 2014. The attack was traced to China. Officials believe the hackers were seeking intellectual property on medical devices but instead made off with nonmedical protected patient data, including Social Security numbers, names, addresses and dates of birth.

3. Advocate Health Care, Downers Grove, Ill., reported the theft of four computers from one of its physician groups in August 2013. The computers contained the unencrypted medical records of over 4 million patients; had the data been encrypted to HHS standards, the theft would not have counted as a breach of unsecured protected health information. It was not Advocate's first breach. In 2009, a thief stole an unencrypted laptop holding data on 812 patients. The health system said the encryption protocol established after the 2009 theft had not yet been deployed in the offices affected in the 2013 theft.

4. The Texas Health and Human Services Commission sued Xerox Corp. in May 2014, alleging Xerox had jeopardized the protected health data of nearly 2 million Texas Medicaid patients by refusing to hand over patient records after the state terminated its contract with Xerox's Medicaid claims administration unit. The state also alleged that Xerox copied and removed patient data and allowed other vendors and its lawyers to access it, and said Xerox's actions put the state out of compliance with federal HIPAA regulations.

9. Nemours, a healthcare system based in Wilmington, Del., lost a storage cabinet containing unencrypted backup tapes holding patient billing and employee payroll data for over 1.6 million individuals. The HHS website reports that the protected health data of nearly 1.1 million individuals was potentially compromised. The cabinet was lost in the course of remodeling.